1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-21 04:50:55 +01:00

Prevent administrators from locking themselves out of applications

Summary: Ref T603. This could be a nicer UX, but limit the amount of foot-shooting that users can possibly do. You can still manage if you're really tricky ("Members of project X", then leave the project) but this should make it hard to make a mistake. It seems very unlikely any user ever intends to lock themselves out of an application.

Test Plan: Set an application's view policy to permissive ("Administrators") and nonpermissive ("No One") values. The former were accepted, the latter rejected.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7218
This commit is contained in:
epriestley 2013-10-04 15:13:58 -07:00
parent 1a5de83ad1
commit a600ab7731

View file

@ -75,6 +75,19 @@ final class PhabricatorApplicationEditController
$value[$phid]['policy'] = $result + $value[$phid]['policy']; $value[$phid]['policy'] = $result + $value[$phid]['policy'];
// Don't allow users to make policy edits which would lock them out of
// applications, since they would be unable to undo those actions.
PhabricatorEnv::overrideConfig($key, $value);
PhabricatorPolicyFilter::mustRetainCapability(
$user,
$application,
PhabricatorPolicyCapability::CAN_VIEW);
PhabricatorPolicyFilter::mustRetainCapability(
$user,
$application,
PhabricatorPolicyCapability::CAN_EDIT);
PhabricatorConfigEditor::storeNewValue( PhabricatorConfigEditor::storeNewValue(
$config_entry, $config_entry,
$value, $value,